Object locking can be managed in the control panel, through S3 API, and tools that use it—for example, AWS CLI.
Retention-period lock
Check for a retention-period lock
If you have segmented objects, you cannot check for locks on individual segments; you can only check the lock on the object itself. Segments inherit the lock settings applied to the object.
Control panel
AWS CLI
In the control panel, on the top menu, click Products and select S3.
Go to the Buckets section.
Open the bucket page → Objects tab.
Open the object page.
In the Object Lock block, check the retention-period lock status.
Open the CLI.
If you want to check the lock for a specific object version:
<path_to_object> — path to the object in the bucket.
2.2. Copy the ID of the required object version from the VersionId field.
Check for the lock:
aws s3api get-object-retention \
--bucket<bucket_name>\
--key<path_to_object>\
--version-id <version_id>
Specify:
<bucket_name> — bucket name;
<path_to_object> — path to the object in the bucket;
optional: --version-id <version_id> — parameter specifying a specific object version. Here, <version_id> is the version ID copied in step 2.2. If this parameter is not specified, the lock is checked for the current object version.
Enable retention-period lock
If both a retention-period lock and a legal hold are enabled for an object, the legal hold takes precedence.
<path_to_object> — path to the object in the bucket;
optional: --version-id <version_id> — parameter specifying a specific object version. Here, <version_id> is the version ID copied in step 2.2. If this parameter is not specified, the lock is applied to the current object version;
<lock_mode> — lock mode. Possible values are GOVERNANCE or COMPLIANCE;
<date> — date until which the object is locked, in ISO 8601 format, for example, 2025-09-06T00:00:00Z. The lock duration cannot exceed one year or 365 days.
Change the retention-period lock duration
If the lock mode is set to:
Governance — the lock duration can be shortened or extended;
Compliance — the lock duration can only be extended.
Control panel
AWS CLI
In the control panel, you can only extend the lock duration. To shorten the duration, use S3 API or tools that use it—for example, AWS CLI.
In the control panel, on the top menu, click Products and select S3.
Go to the Buckets section.
Open the bucket page → Objects tab.
Open the object page.
In the Object Lock block, in the Retention-period lock row, click Edit.
Specify the new lock duration.
Click Save.
To change the lock duration, use the Enable retention-period lock subsection and specify the new value in the RetainUntilDate field.
Change the retention-period lock mode
You can only change the lock mode from Governance to Compliance.
Control panel
AWS CLI
You cannot change the retention-period lock mode in the control panel. Use S3 API or tools that use it—for example, AWS CLI.
You can only disable a retention-period lock in Governance mode.
Control panel
AWS CLI
Only the Account owner or a user with the member role can disable the retention-period lock in the control panel.
In the control panel, on the top menu, click Products and select S3.
Go to the Buckets section.
Open the bucket page → Objects tab.
Open the object page.
In the Object Lock block, in the Retention-period lock row, click Edit.
Uncheck the Lock object checkbox.
Click Save.
The Account owner, a user with the member role, or a user with another role with S3 access can disable the retention-period lock via AWS CLI if the access policy allows the actions3:BypassGovernanceRetention.
Open the CLI.
If you want to disable the lock for a specific object version:
<path_to_object> — path to the object in the bucket.
2.2. Copy the ID of the required object version from the VersionId field.
Disable the lock:
aws s3api put-object-retention \
--bucket<bucket_name>\
--key"<path_to_object>"\
--version-id <version_id>\
--retention'{}'\
--bypass-governance-retention
Specify:
<bucket_name> — bucket name;
<path_to_object> — path to the object in the bucket;
optional: --version-id <version_id> — parameter specifying a specific object version. Here, <version_id> is the version ID copied in step 2.2. If this parameter is not specified, the lock is disabled for the current object version.
Legal hold
Check for a legal hold
If you have segmented objects, you cannot check for locks on individual segments; you can only check the lock on the object itself. Segments inherit the lock settings applied to the object.
Control panel
AWS CLI
In the control panel, on the top menu, click Products and select S3.
Go to the Buckets section.
Open the bucket page → Objects tab.
Open the object page.
In the Object Lock block, check the legal hold status.
Open the CLI.
If you want to check the lock for a specific object version:
<path_to_object> — path to the object in the bucket.
2.2. Copy the ID of the required object version from the VersionId field.
Check for the lock:
aws s3api get-object-legal-hold \
--bucket<bucket_name>\
--key<path_to_object>\
--version-id <version_id>
Specify:
<bucket_name> — bucket name;
<path_to_object> — path to the object in the bucket;
optional: --version-id <version_id> — parameter specifying a specific object version. Here, <version_id> is the version ID copied in step 2.2. If this parameter is not specified, the lock is checked for the current object version.
Enable legal hold
If both a retention-period lock and a legal hold are enabled for an object, the legal hold takes precedence.
Control panel
AWS CLI
In the control panel, on the top menu, click Products and select S3.
Go to the Buckets section.
Open the bucket page → Objects tab.
Open the object page.
In the Object Lock block, enable the legal hold.
Open the CLI.
If you want to lock an object version other than the current one:
<path_to_object> — path to the object in the bucket.
2.2. Copy the ID of the required object version from the VersionId field.
Lock the object:
aws s3api put-object-legal-hold \
--bucket<bucket_name>\
--key<path_to_object>\
--version-id <version_id>\
--legal-hold '{"Status": "ON"}'
Specify:
<bucket_name> — bucket name;
<path_to_object> — path to the object in the bucket;
optional: --version-id <version_id> — parameter specifying a specific object version. Here, <version_id> is the version ID copied in step 2.2. If this parameter is not specified, the lock is applied to the current object version.
Disable legal hold
Control panel
AWS CLI
In the control panel, on the top menu, click Products and select S3.
Go to the Buckets section.
Open the bucket page → Objects tab.
Open the object page.
In the Object Lock block, disable the legal hold.
Open the CLI.
If you want to disable the lock for an object version other than the current one:
<path_to_object> — path to the object in the bucket.
2.2. Copy the ID of the required object version from the VersionId field.
Disable the lock:
aws s3api put-object-legal-hold \
--bucket<bucket_name>\
--key<path_to_object>\
--version-id <version_id>\
--legal-hold '{"Status": "OFF"}'
Specify:
<bucket_name> — bucket name;
<path_to_object> — path to the object in the bucket;
optional: --version-id <version_id> — parameter specifying a specific object version. Here, <version_id> is the version ID copied in step 2.2. If this parameter is not specified, the lock is removed from the current object version.